[Freeipa-users] Clone URI does not match available subsystems ?

John Bowman john.bowman at zayo.com
Wed Aug 17 15:41:38 UTC 2016


Howdy!

Trying to figure out how to get past the error:  Clone URI does not match
available subsystems when running ipa-ca-install on a new IPA server.

A little background.  We have 3 FreeIPA 3.0.0 servers running on RHEL 6.7.
We just recently (within the last month) added a new FreeIPA 4.2 server
replica running on RHEL 7.2 at a new location which will hopefully be the
start of replacing all the 3.0.0 instances.

Unfortunately during the 4.2 install the --setup-ca was failing so we
decided to install without it to make sure everything else worked.  And it
did; everything seems to be replicating properly and all is good.

Now it's time to add the CA replication to the new server but it's failing
with that error.

Command output:
# ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-server.example.com.gpg
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.


ipareplica-ca-install.log output:
2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160817092533.log
Loading deployment configuration from /tmp/tmp7cBK9P.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}

2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned non-zero exit status 1
2016-08-17T15:25:52Z CRITICAL See the installation logs and the following
files/directories for more information:
2016-08-17T15:25:52Z CRITICAL   /var/log/pki-ca-install.log
2016-08-17T15:25:52Z CRITICAL   /var/log/pki/pki-tomcat
2016-08-17T15:25:52Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 622, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-08-17T15:25:52Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-08-17T15:25:52Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()

  File "/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)

  File "/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
114, in install
    install_step_0(standalone, replica_config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
138, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1545, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 488, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 622, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
    self.handle_setup_error(e)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-08-17T15:25:52Z DEBUG The ipa-ca-install command failed, exception:
RuntimeError: CA configuration failed.


****

I've tried running the pkispawn command manually by using the
deployment.cfg file but it gives the same error:

# pkidestroy -s CA -i pki-tomcat
Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy  : WARNING  ....... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy  : ERROR    ....... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.

# /usr/sbin/pkispawn -s CA -f /tmp/replica_file
Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
Loading deployment configuration from /tmp/replica_file.
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone URI does not match available subsystems: https://master.idm.example.com:443"}

Installation failed.


Any ideas on how to proceed would be much appreciated!

Thanks!
-John
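
Added example, not part of the original post and not FreeIPA or Dogtag code: the ParseError line in the pkispawn output above carries the server's actual error as a JSON body, and this Python code decodes that body from a log and compares the clone URI it names against a list of subsystem URIs. The sample log is constructed from the output quoted above, the subsystem list and port 8443 are constructed, and matching on (scheme, host, port) is this example's assumption, not Dogtag's documented rule.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the pkispawn output quoted in the post.
SAMPLE_LOG = (
    'pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: '
    '400 Client Error: Bad Request\n'
    'pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): '
    'line 1, column 0: {"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,'
    '"Message":"Clone URI does not match available subsystems: '
    'https://master.idm.example.com:443"}\n'
    '\nInstallation failed.\n'
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def extract_server_errors(log_text):
    """Decode each JSON error body that follows a pkispawn ParseError prefix."""
    decoder, found = json.JSONDecoder(), []
    for m in re.finditer(r"ParseError:[^{\n]*", log_text):
        try:
            body, _ = decoder.raw_decode(log_text, m.end())
        except ValueError:
            continue  # no JSON here, or the body was cut/wrapped: do not guess
        if isinstance(body, dict) and "Message" in body:
            found.append(body)
    return found

def clone_uri_from(error):
    """Return the first URI named in the error's Message field, if any."""
    m = re.search(r"https?://[^\s\"<>]+", error.get("Message", ""))
    return m.group(0) if m else None

def endpoint(uri):
    """Normalise a URI to (scheme, host, port), filling in the default port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def matching_subsystems(clone_uri, subsystem_uris):
    """Subsystem URIs whose endpoint equals the clone URI's endpoint."""
    want = endpoint(clone_uri)
    return [u for u in subsystem_uris if endpoint(u) == want]

if __name__ == "__main__":
    # Constructed subsystem list; in practice it comes from the master.
    listed = ["https://master.idm.example.com:8443", "https://other.idm.example.com"]
    for err in extract_server_errors(SAMPLE_LOG):
        uri = clone_uri_from(err)
        print(err["Code"], err["ClassName"], uri, matching_subsystems(uri, listed))
```

An empty match list means none of the supplied subsystem URIs share the clone URI's scheme, host and port.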